S3 bucket policy, how to ALLOW a IAM group from another account?

问题

I have one S3 bucket in one AWS account (say arn:aws:s3:::my-test-bucket), that needs to be accessed by a IAM group that is defined in another AWS account (say arn:aws:iam::1111222333444:group/mygroup). The following access policy refuses to save, and tells that arn:aws:s3:::my-test-bucket is an invalid principal.

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:List*",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111222333444:group/mygroup"
            },
            "Resource": [
                "arn:aws:s3:::my-test-bucket",
                "arn:aws:s3:::my-test-bucket/*"
            ],
            "Sid": "allow-put-for-dedicated-group"
        }
    ],
}

I have tested by replacing the group with one of the users of the other account and this works:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:List*",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111222333444:user/me"
            },
            "Resource": [
                "arn:aws:s3:::my-test-bucket",
                "arn:aws:s3:::my-test-bucket/*"
            ],
            "Sid": "allow-put-for-dedicated-user"
        }
    ],
}

The group is existing, I do not understand why it says it is an invalid principal. In fact it does not accept any group of my other account.

Does anyone have an explanation (and possibly a solution) to this behaviour?

Thanks in advance, Cheers

回答1:

IAM groups are not valid principals in S3 bucket policies. See this AWS forum post and this SO post for more discussion.

Here's one possible idea: create an IAM role (for example "cross-account-s3") in account #1 (the account with the S3 bucket). That role should have a policy that allows the appropriate S3 bucket access and it should have a trust relationship that says the root user in account #2 has sts:AssumeRole. Then in account #2 give the relevant IAM group a policy that allows users in that group to assume the cross-account-s3 role from account #1. I guess this requires you to trust the IAM admins in the 2nd account to not allow the wrong users to assume the cross-account-s3 role.

来源：https://stackoverflow.com/questions/30667678/s3-bucket-policy-how-to-allow-a-iam-group-from-another-account